Few boards saw warning signs ahead of the Great Recession. Today directors’ engagement is higher—but the risk landscape is more complex.
The lines of employees, boxes in hand, abandoning Lehman Brothers’ dark offices on September 15, 2008, are hard to forget.
This was ground zero of the subprime mortgage crisis, when the highly leveraged investment bank declared bankruptcy—the largest in American history. It kicked off a cascade of events that would lead to the global recession. Credit markets seized, stock markets plunged and millions lost their jobs—and corporate boards got a big wake-up call.
Lehman’s board of directors had missed the signals of risk and potential disaster lurking under rosy quarterly statements. For example, the firm had for years employed a misleading accounting practice called “Repo 105” that hid its shaky finances—a practice so suspect that no U.S. law firms would grant approval.
As the global economy went into a tailspin and governments stepped in to help, policymakers, the media and the public all pointed fingers at a corporate governance system asleep at the wheel.
In the 10 years since the crisis, many governments have installed more stringent regulations to strengthen boards’ risk oversight practices. But boards are not just compelled by these new rules—broader expectations have shifted as well.
As U.S. Federal Reserve Chair Jerome Powell put it in 2017: “Across a range of responsibilities, we simply expect much more of boards of directors than ever before. There is no reason to expect that to change.” The new reality is that board members must vigilantly track the risks that could torpedo a company—financial or otherwise—or face consequences. Case in point: In early 2018, the U.S. Federal Reserve punished Wells Fargo for years of fraud and misconduct. A few months later, the bank agreed to overhaul its board.
New Expectations, New Risks
Compared with a decade ago, “there is a higher level of engagement among all board directors” when it comes to risks, says Nicholas M. Donofrio, who serves on the boards of Aptiv, the MITRE Corp., HYPR Corp., Quantexa and Syracuse University. Companies in highly regulated industries such as financial services, he notes, have had no choice but to pay more attention to risks.
Boards in these sectors are “continually looking at risks and thinking the unthinkable—any extreme risk you can model or simulate is a possibility that needs to be considered by the board,” Mr. Donofrio says.
“Any extreme risk you can model or simulate is a possibility that needs to be considered by the board.”
—Nicholas M. Donofrio, board member, Aptiv, the MITRE Corp., HYPR Corp., Quantexa, Syracuse University
In the United States and Europe, boards in the finance and banking sector are now expected to play a more robust risk oversight role. The Dodd-Frank Wall Street Reform and Consumer Protection Act, passed by the U.S. Congress in 2010, requires financial companies to explain why a CEO also serves as board chair.
Across the Atlantic, the European Commission established three new regulatory bodies in the wake of the crisis to ensure the European banking sector was also properly accountable. The commission created new rules and put pressure on boards to assure stakeholders and policymakers they could prevent similar crises in the future.
But the threat landscape board directors face has grown more complex in the last 10 years. In the age of disruptive technologies, directors must wrestle with risks beyond high debt levels and overvalued assets.
Mr. Donofrio recommends that boards “start to explore disruptive risks that no one wants to talk about,” such as those related to new technologies like artificial intelligence (AI). Board members cannot stay on the sidelines when it comes to emerging AI systems, he says—they need to pose questions like, “What if the data on which our system is learning has a built-in bias? What are the risks that a system designed for one purpose can be misused for another?”
Robyn Bew of the National Association of Corporate Directors (NACD) agrees that in the wake of the financial crisis a higher level of risk engagement by directors has become the norm across all sectors. Boards no longer see risk oversight as a standalone agenda item but have integrated these activities into overall board and committee work across the year, she says.
“Directors can no longer rely only on the information they get from management if they want to be effective in their core duties of overseeing strategy and risk.”
—Robyn Bew, director of strategic content development, National Association of Corporate Directors
What types of risks must directors be ready to examine today? One stands out: cybersecurity.
According to a 2018 survey of directors by Corporate Board Member and executive search firm Spencer Stuart, 61% of directors say their top concern is cybersecurity. Keeping hackers at bay is not just about protecting data—it is also about financial stability.
Last year Christine Lagarde, managing director of the International Monetary Fund (IMF), called cyber-risks “a significant threat to the financial system.” She cited an IMF study finding that cyberattacks cost banks roughly $100 billion per year.
Given the size of the threat, the U.S. Securities and Exchange Commission wants to ensure boards pay attention to cybersecurity. In a statement released last year, the agency directs corporations to disclose how boards are administering their oversight function with respect to cybersecurity risks.
As the bar gets higher, it is incumbent on boards to show they take the issue seriously.
But cybersecurity is just one part of an ever-evolving disruptive risk landscape. Since the financial crisis, volatility, uncertainty and complexity have all grown for many organizations. For this reason, the NACD Blue Ribbon Commission’s Adaptive Governance: Board Oversight of Disruptive Risks report, released in October 2018, calls for boards to actively assess the risks their organizations face.
Central to the NACD’s recommendations is that boards develop the ability to identify new disruptive risks through an “adaptive governance” approach. This requires building a board culture that is always searching for disruptive risks, while also investing in the skills needed to navigate such risks, according to the NACD.
For many boards, this would be a significant pivot. Nearly half of directors told NACD that their board tends to focus on oversight of known risks—those that management has already identified. “We believe this constitutes a failing grade,” write Blue Ribbon Commission co-chairs Sue Cole and Kelvin Westbrook. While most boards have changed their procedures in the wake of the financial crisis, many are still ill-equipped to deal with these unanticipated challenges.
What Can Be Done
So how can board directors remain fully cognizant of today’s risk landscape? For starters, seek outside resources and expertise. Board members should take a look at the information they currently receive about risks and then ask themselves what percentage of that information comes from management versus from independent advisers and other external sources, says Ms. Bew. Fifty-seven percent of boards primarily rely on management to keep up with current trends and innovations, while only turning to independent subject matter experts 15% of the time, according to a 2019 Corporate Board Member/EY study.
Given how quickly the business environment is changing, “directors can no longer rely only on the information they get from management if they want to be effective in their core duties of overseeing strategy and risk,” Ms. Bew says.
Another way to bolster risk oversight is to embrace rigorous self-assessments and enable more frequent board refreshing. NACD’s new report recommends that directors maintain awareness of their cognitive biases. Mr. Donofrio, a member of NACD’s Blue Ribbon Commission, would like to see more companies drive turnover with peer assessments and self-assessments, rather than relying solely on term limits or director elections to refresh boards. The goal is to prevent boards from ossifying into a passive oversight role.
“You don’t need stockholders to vote—it should be you and your board colleagues,” he says. He urges directors to ask themselves: Am I contributing? Am I adding value? Do I know enough? “If not,” Mr. Donofrio says, “put yourself on a path to get there. And if you can’t get there, leave.”
Creating a risk committee separate from the audit committee is another tangible step boards can take to get more serious about risks. The Dodd-Frank Act requires boards at U.S. financial institutions of certain types and sizes to maintain separate risk committees, with at least one risk management expert. But a growing number of companies across other sectors are concluding they also need a separate risk committee. According to Spencer Stuart’s 2018 Board Index, which surveys S&P 500 companies, 12% of boards had separate risk committees in 2018, compared with 8% in 2013.
Boosting a board’s gender diversity is another way to rein in risks. Good governance, along with stronger financial performance, is associated with gender diversity at the board level, Thirty Percent Coalition Executive Director Charlotte Laurent-Ottomane told Corporate Board Member late last year.
Steve Silberstein, who serves on the board of the Marin County Employees’ Retirement Association, told the magazine that the presence of women on corporate boards “substantially reduces the risk of fraud. Whether there’s a correlation or it’s causal, I’m not sure. But corporations with substantial numbers of women on their boards have less fraud.”
The bottom line is that to avoid being blindsided by an unknown risk, companies need board directors who embrace the familiar proverb “trust, but verify.” They must be willing to look at the facts and challenge conventional wisdom rather than just go with the flow.
“Ask the hard questions,” Mr. Donofrio says. “You reduce risk by engaging. That’s what I would hope we learned from 2008.”
This article appeared in the Fall 2019 issue of Insigniam Quarterly, with the headline “Canaries in the Boardroom.” To begin receiving IQ, go here.